diff --git a/src/docker.js b/src/docker.js
index 6e13b130c..23de06a46 100644
--- a/src/docker.js
+++ b/src/docker.js
@@ -354,7 +354,7 @@ async function createSubcontainer(app, name, cmd, options) {
 CpuShares: app.cpuShares,
 VolumesFrom: isAppContainer ? null : [ app.containerId + ':rw' ],
 SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
- CapAdd: ['ALL'],
+ CapAdd: [],
 CapDrop: [],
 Sysctls: {}
 }
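Review bot: The new `CapAdd: []` in the HostConfig literal changes the baseline from every capability to Docker's default set, and nothing in the hunk records that intent or where the per-app additions now come from. A short comment would save the next reader a search, e.g. `CapAdd: [], // start from Docker's default capability set; manifest capabilities are added further down`. Presumably any app that relied on a capability outside the default set and not expressible through manifest capabilities loses it with this change, which is worth stating in the commit description so operators can anticipate runtime failures. createSubcontainer's body starts and ends outside the hunk.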
@@ -389,20 +389,20 @@ async function createSubcontainer(app, name, cmd, options) {
 const capabilities = manifest.capabilities || [];
 // https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
- // if (capabilities.includes('net_admin')) {
- // containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
- // // ipv6 for new interfaces is disabled in the container. this prevents the openvpn tun device having ipv6
- // // See https://github.com/moby/moby/issues/20569 and https://github.com/moby/moby/issues/33099
- // containerOptions.HostConfig.Sysctls['net.ipv6.conf.all.disable_ipv6'] = '0';
- // }
- // if (capabilities.includes('mlock')) containerOptions.HostConfig.CapAdd.push('IPC_LOCK'); // mlock prevents swapping
- // if (!capabilities.includes('ping')) containerOptions.HostConfig.CapDrop.push('NET_RAW'); // NET_RAW is included by default by Docker
+ if (capabilities.includes('net_admin')) {
+ containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
+ // ipv6 for new interfaces is disabled in the container. this prevents the openvpn tun device having ipv6
+ // See https://github.com/moby/moby/issues/20569 and https://github.com/moby/moby/issues/33099
+ containerOptions.HostConfig.Sysctls['net.ipv6.conf.all.disable_ipv6'] = '0';
+ }
+ if (capabilities.includes('mlock')) containerOptions.HostConfig.CapAdd.push('IPC_LOCK'); // mlock prevents swapping
+ if (!capabilities.includes('ping')) containerOptions.HostConfig.CapDrop.push('NET_RAW'); // NET_RAW is included by default by Docker
- // if (capabilities.includes('vaapi') && safe.fs.existsSync('/dev/dri')) {
- // containerOptions.HostConfig.Devices = [
- // { PathOnHost: '/dev/dri', PathInContainer: '/dev/dri', CgroupPermissions: 'rwm' }
- // ];
- // }
+ if (capabilities.includes('vaapi') && safe.fs.existsSync('/dev/dri')) {
+ containerOptions.HostConfig.Devices = [
+ { PathOnHost: '/dev/dri', PathInContainer: '/dev/dri', CgroupPermissions: 'rwm' }
+ ];
+ }
 containerOptions = _.extend(containerOptions, options);